Yes, I understand that, but I think it's been proven so far that Apache is less susceptible to things like that. IIS is another issue, but then, that's not the topic. My point was that if tomcat can be configured to only accept requests from a webserver, the onus for "hardening" is no longer tomcat's problem.
John Turner
[EMAIL PROTECTED]

-----Original Message-----
From: Mike Jackson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 25, 2002 2:12 PM
To: Tomcat Users List
Subject: RE: Hardening Tomcat 3.2.4

Whatever web server is acting as the front end to tomcat is still vulnerable to "strange" requests (i.e. Code Red and the like); that's what the higher end firewalls prevent.

--mikej
-=-----
mike jackson
[EMAIL PROTECTED]

-----Original Message-----
From: Turner, John [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 25, 2002 11:02 AM
To: 'Tomcat Users List'
Subject: RE: Hardening Tomcat 3.2.4

Is it possible to configure tomcat to listen only on the connector ports, and not any other port, such as 8080? Seems to me you could just delete the HTTP connector from port 8080 and that would make tomcat pretty hard to mess with. Any malformed requests at that point would go through apache first, assuming an apache+connector+tomcat configuration.

John Turner
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 25, 2002 2:01 PM
To: Tomcat Users List
Subject: Re: Hardening Tomcat 3.2.4

Mike Jackson wrote:
> A firewall is probably the best way to harden tomcat. Or any web server
> for that matter; however, for a good one you're going to probably end up
> paying a large sum of money. You could go on the cheaper side and only use
> a stateful port blocking firewall, but really to do it right you'll need
> a firewall that looks at data being sent to the server and then blocks
> on types of data rather than just the port.

Is iptables on Linux generally good enough(?), assuming the data is not all that critical. Other than its basic functions, haven't really looked at iptables to see whether it can interface with any IDS...
das

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
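As an added example (not from the thread, and not Tomcat's or Apache's own tooling), here is the belt-and-braces form of the two suggestions above: delete the 8080 HTTP connector from Tomcat's server.xml so only the AJP connector remains, then use plain iptables on the Tomcat host so that the AJP port answers only to the Apache front end, and so that 8080 stays unreachable even if someone later puts the HTTP connector back. The script also includes a check that reads a `netstat -tln`-style listing and reports any socket bound to all interfaces on a given port, which is the quickest way to confirm the connector really is gone. Everything here is assumed, not taken from the thread: AJP on 8009, HTTP on 8080, the front end at 192.0.2.10 (a documentation address), and the netstat column layout in the constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread: keep only the AJP connector reachable on a
# Tomcat host, and only from the Apache front end, using iptables.
# Constructed assumptions: AJP on 8009, the (to-be-removed) HTTP connector on
# 8080, Apache front end at 192.0.2.10 (documentation address). Adjust to taste.

AJP_PORT=8009
HTTP_PORT=8080
FRONTEND=${FRONTEND:-192.0.2.10}

# Emit the iptables commands for one front-end address.  Only loopback and the
# front end may reach AJP; everything else to AJP, and anything to 8080, is
# dropped, so a stray HTTP connector left in server.xml is still not reachable.
tomcat_fw_rules() {
    fe=$1; ajp=$2; http=$3
    cat <<EOF
iptables -A INPUT -p tcp --dport $ajp -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport $ajp -s $fe -j ACCEPT
iptables -A INPUT -p tcp --dport $ajp -j DROP
iptables -A INPUT -p tcp --dport $http -j DROP
EOF
}

# Read a "netstat -tln" style listing on stdin and print every socket bound to
# all interfaces (0.0.0.0 or :::) on the given port.  Returns 0 when nothing is
# exposed, 1 otherwise.  A 127.0.0.1 bind is not reported, since only a front
# end on the same host can reach it.  The leading space in the patterns keeps
# "10.0.0.0:8080" from matching as "0.0.0.0:8080".
exposed_on_port() {
    port=$1
    exposed=0
    while read -r line; do
        case "$line" in
            *" 0.0.0.0:$port "*|*" :::$port "*) echo "$line"; exposed=1 ;;
        esac
    done
    [ "$exposed" -eq 0 ]
}

# Stand-alone use: print the rules for review; APPLY=1 (as root) installs them.
if [ "${APPLY:-0}" = 1 ]; then
    tomcat_fw_rules "$FRONTEND" "$AJP_PORT" "$HTTP_PORT" | sh
else
    tomcat_fw_rules "$FRONTEND" "$AJP_PORT" "$HTTP_PORT"
fi
```

After sourcing the script, `netstat -tln | exposed_on_port 8080` should print nothing and exit 0 once the HTTP connector has been removed from server.xml (in the 3.2.x layout that is the `<Connector>` element whose `port` parameter is 8080); `exposed_on_port 8009` is expected to report a bind unless the connector is tied to a specific address, which is exactly why the AJP rules above only admit the front end. The firewall rules are a second layer, not a substitute for removing the connector: with both in place, a malformed request has to get past Apache before Tomcat ever parses it, which is the arrangement John describes.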